Chapter 2. Audit and Record provisions relating to KYC Regulations of RBI
In our introductory chapter we took you through the major highlights that RBI master circular on KYC had and how it affected you as a regulated entity.
In this installment of the blog we shall discuss outsourcing and audit related stipulations.
All regulated entities are expected to comply with audit related provisions of KYC Policy, following is a list of major provisions that you should be aware of,
REs need to specify as to who constitute ‘Senior Management’ for the purpose of KYC compliance and allocate responsibility for effective implementation of policies and procedures
The Circular provides for appointment of designated director by the Board, to ensure overall compliance with the obligations under the PML Act and Rules. There is also a separate designation created for the post of Principal Officer. The Principal Officer shall be exclusively responsible for ensuring compliance, monitoring transactions, and sharing and reporting information as required under the law/regulations. The name, designation and address of the Designated Director and Principal Officer is to be communicated to the Financial Intelligence Unit- India. This shows the seriousness with which RBI plans to address the issue of ascribing liability to individual officers of REs which have been found to be in non-compliance. This is a direct adoption of the principle of “lifting the corporate veil” to make individual members of the management accountable for the KYC activities of the REs.
REs are to conduct independent evaluation of the compliance functions of policies and procedures, including legal and regulatory requirements
This requirement is indicating towards an independent third party audit of the legal and regulatory requirements by the REs. The compliance costs of REs substantially goes up ensuring that such independent evaluation is complete and up to date in an ever changing regulatory environment.
Concurrent/internal audit system to verify the compliance with KYC/AML policies and procedures
This requirement indicates the need for a KYC specific internal robust audit system to be in place to be able to comply with changing RBI, Unique Identification Data Authority of India’s prescribed requirements to conduct KYC. There is additionally a need to ensure submission of quarterly audit notes and compliance to the Audit Committee by the REs.
REs shall ensure that decision-making functions of determining compliance with KYC norms are not outsourced
Based on our understanding of the latest Master Circular, there is no express bar on a third party from allowing to carry out KYC (video or offline Aadhaar) on behalf of a lender who is a RBI regulated entity. But our interpretation is that the regulated entity will carry the final responsibility/obligation to ensure that KYC is carried out as per RBI norms. We believe that as a result of the Master Circular, even though a regulated entity can pass over/ contract out/delegate KYC functions to a third party, it can not absolve itself from liability in the event of failing to adhere to KYC norms, even if it contractually passes on the responsibility to third party which is helping him/her comply with the same.
This is the only outright/express bar on outsourcing/ delegation under the Master Circular. As the circular itself is silent on whether delegation of the KYC procedure itself should be allowed/ not allowed, we can conclude that there is nothing preventing delegation/outsourcing of KYC mechanism to a third party under the Circular as there is no express bar on the same.
Additional compliance relating to preservation and maintenance of records under Prevention of Money Laundering Act (PMLA)
The following steps shall be taken regarding maintenance, preservation and reporting of customer account information, with reference to provisions of PML Act and Rules. REs shall:
(a) maintain all necessary records of transactions between the RE and the customer, both domestic and international, for at least five years from the date of transaction: REs shall capture the KYC information for sharing with the Central KYC Records Registry (CKYCR), to receive, store, safeguard and retrieve the KYC records in digital form of a customer. “KYC Templates” means templates prepared to facilitate collating and reporting the KYC data to the CKYCR, for individuals and legal entities.
(b) preserve the records pertaining to the identification of the customers and their addresses obtained while opening the account and during the course of business relationship, for at least five years after the business relationship has ended and make available the identification records and transaction data to the competent authorities upon request. This requirement is providing for archiving of data. Accordingly REs need to ensure the same. The archived data can be either stored on cloud or hard drive and should be stored in India only and will typically contain the records of the KYC transaction.
(c) introduce a system of maintaining proper record of transactions prescribed under Prevention of Money Laundering (Maintenance of Records) Rules, 2005, as per which, every banking company, financial institution and intermediary shall maintain a record of inter alia, –
- All cash transactions of stipulated value, all cash transactions where forged or counterfeit currency notes or bank notes have been used as genuine and where any forgery of a valuable security has taken place; all suspicious transactions whether or not made in cash.
- Maintain all necessary information in respect of transactions prescribed under PML Rule 3 so as to permit reconstruction of individual transaction, including the following:
(i) the nature of the transactions;
(ii) the amount of the transaction and the currency in which it was denominated;
(iii) the date on which the transaction was conducted; and
(iv)the parties to the transaction.
(f) evolve a system for proper maintenance and preservation of account information in a manner that allows data to be retrieved easily and quickly whenever required or when requested by the competent authorities;
(g) maintain records of the identity and address of their customer, and records in respect of transactions referred to in Rule 3 in hard or soft format.
Each of these are interpretations of what we understood from the circular, depending on who you are and what business you are into you might have one or more variations of this and multiple laws to consider. In our next chapter to continue to demystify RBI’s circular.
Have a question? Ask us in the comment section below